
The Wizard of OT: Leveraging MDR to help secure manufacturing

By ESET Expert


Threat actors looking to make a quick buck have long targeted the manufacturing industry, whose reliance on often-outdated systems makes it an easy target. Help secure your operational technology with MDR for maximum impact.


The manufacturing industry, responsible for the production of transportation systems, chemicals, energy infrastructure, and more, is what keeps the well-oiled machine of the world’s economy in motion.


However, not everything is equal when it comes to the manufacturing sector. There are critical nodes that most nation states identify as crucial to critical infrastructure. These include primary metals, machinery, electrical equipment and components, and transportation equipment. Preventing the disruption of these sectors is a cornerstone of national security and stability.


A targeted sector by default

For manufacturers, digital transformation has proven a double-edged sword. While it creates new opportunities for productivity and efficiency, it also opens a Pandora’s box of issues: the industry’s use of cyber-adjacent devices that rely on operational technology (OT) and IT networks can be abused for devastating attacks, halting production lines and threatening the existence of even large companies, as well as national security.


A good example of this overlap is modern supply-chain attacks. In 2021, a major US fuel pipeline carrying 2.5 million barrels a day was taken offline following a ransomware attack by the DarkSide cybercriminal gang. This forced the US government to relax rules on land-based fuel transportation and made gas prices jump by around 6 percent. Reportedly, the attackers got in through an exposed VPN account password. In the end, the company opted to pay a ransom of around $5 million to get its systems back.


However, ransomware is not the only threat that may impact manufacturers. In 2017, ESET researchers revealed Industroyer, one of the biggest threats to industrial control systems. The capabilities of this malware include controlling electricity substation switches and circuit breakers directly by abusing industrial communication protocols used in power supply infrastructure, transportation control systems and other critical sectors. This means that the potential impact of an attack could cause cascading equipment damage and failures.


Reliance on old systems

Due to the manner in which suppliers, contractors, distributors, and third-party service providers are tightly interconnected, they create an expanded attack surface. If one domino falls, the rest follow. The same is true for internally connected systems, as that was how the Petya malware leveraged its access: compromising the M.E.Doc accounting software and executing a trojanized update, allowing the attackers to launch a massive global ransomware campaign.


These incidents are especially bad for critical manufacturers that use legacy systems. Unlike other industries, where outdated systems can be upgraded or replaced more easily (such as in the IT industry), manufacturing depends on expensive, specialized equipment that sometimes relies on obsolete computing systems. So, when a production plant is hit by ransomware such as LockerGoga, it could force a global operation to go into manual mode, costing millions due to lost efficiencies.


However, updating or replacing these systems often requires extended downtime, which can result in steep financial losses due to operational backlogs. This creates an environment in which cybersecurity investments and system updates are often deprioritized, creating gaps in security, which in time would undoubtedly be exploited.


A question of leadership?

The prime question here is who should take most responsibility for security failures stemming from running legacy or unsecure systems — the professional security operators doing what they can to secure a business 24/7, or the leadership who might trade short maintenance-related disruptions for ransom payments and global shutdowns?


With an average cost of a data breach in the industrial sector being $5.56 million, some thorough discussions should happen inside boardrooms as to whether such costs are acceptable.


Executives and managers play a critical role in setting the tone for how cybersecurity is prioritized and implemented across an organization. For manufacturers, this means treating cybersecurity as a fundamental business goal rather than relegating it to the IT department. In essence, leaders must allocate resources strategically, ensuring that there is a dedicated budget for cybersecurity tools, training, and personnel. What’s more, doing this in concert with process upgrades could bring major benefits in the form of enhanced productivity, netting more business in the long term.


Don’t forget about the employees

With leadership setting firm targets for better security, it should also think about its employees. This applies less to manual operators and more to those with access to critical network-adjacent systems, who could introduce negative externalities such as malware into industrial systems. This is underlined by the 2024 Verizon Data Breach Investigations Report, which found that 83% of breaches in manufacturing were attributable to system intrusion, social engineering, and basic web application attacks.


Cybercriminals often exploit people through social engineering tactics such as phishing messages, or by introducing malware onto their devices through malicious attachments or other downloads. Hence, regular cybersecurity awareness training should cover topics such as phishing awareness, password management, and secure data handling. Moreover, employees should be encouraged to report suspicious activity without fear of repercussions, creating an open and prevention-first security culture.


Additionally, advanced cybersecurity tools, such as endpoint security and extended detection and response solutions, are indispensable for manufacturers. These technologies offer real-time visibility into an entire business network, helping organizations detect anomalies and flag potential threats before they can escalate. This could also be contracted through a managed service, ensuring around-the-clock protection with a global reach.


ESET protecting manufacturers

Managed services such as ESET MDR can provide around-the-clock security, reducing the risk that alerts from solutions such as EDR go unhandled, especially when a manufacturer has understaffed or underqualified security personnel. All of this is achieved without the need for heavy investment into internal resources, while still maintaining production efficiencies. ESET’s MDR offer also includes ESET Detection & Response Ultimate, a highly tailored service acting as a specialized extended security arm of its clients, supplying research-powered professionals capable of dealing with detections in only 20 minutes.


Ever-present compliance standards

Beyond the threat of external exploitation are various regulations and compliance standards that also bring penalties in the event of a lapse in security, especially where it could have been avoided.


Regulations such as NIS2 or the Machinery Regulation 2023/1230 in the European Union set out requirements for critical sectors, with the former designating manufacturing as an important sector, asking for enhanced supply-chain security, proper risk management, and reporting obligations. The latter is more specific, though, as the Machinery Regulation obliges manufacturers to create appropriate industrial security concepts, with a prime focus on cybersecurity, including a referral to the EU Cybersecurity Act in case a machine contains digital elements and connections.


On the other side of the pond, there’s the ISA/IEC 62443 series of standards, establishing requirements for maintaining the security of industrial automation and control systems. For manufacturers of medical devices, the Consolidated Appropriations Act, 2023, under section 524B, requires thorough assessments ensuring that connected devices meet cybersecurity standards such as vulnerability patching. Since governments will need to sustain their focus on reliable cyber resilience, we can assume that more compliance standards for critical industries will follow.


Some practical solutions for manufacturers

To mitigate risks stemming from legacy systems, manufacturers must implement robust prevention strategies such as air gapping or network segmentation.


Air gapping involves isolating critical systems from the network entirely, preventing unauthorized access. Simply put, short of inserting an infected USB drive, threat actors would find it harder to gain access. However, that too is changing, as evidenced by novel ESET research. Given the growing interconnectivity, air gapping cannot be the only cyber resilience strategy for OT environments, particularly not when protecting critical infrastructure. This is why additional security, such as network segmentation, which divides the network into smaller, isolated zones, can help contain potential breaches more easily.


Essentially, these measures ensure that even if one part of the system is compromised, attackers cannot access other areas. Similarly, a high grade of protection could be achieved with a managed detection and response service like ESET MDR, preventing sophisticated threats from impacting manufacturing processes in the first place.
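To make the segmentation idea concrete, here is an added example (not code from the original article or from ESET) that audits constructed flow records against a zone-and-conduit policy. The zone layout (enterprise, DMZ, supervisory, cell), the allowed conduits, and the flow log format are all constructed assumptions for illustration; a real plant would derive them from its own architecture. The check flags any cross-zone flow that is not an explicitly allowed conduit, including "reverse" flows where a device in the cell zone initiates a connection toward the enterprise network, which is exactly the kind of lateral movement segmentation is meant to contain.

```python
"""Zone-based segmentation audit over constructed OT flow records.

Added example, not part of the original article. The zones, conduits
and log format below are constructed assumptions, not a real plant.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Hypothetical zone layout (constructed). Each zone is one CIDR block.
ZONES = {
    "enterprise":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":         ipaddress.ip_network("10.20.0.0/24"),
    "supervisory": ipaddress.ip_network("10.30.0.0/24"),
    "cell":        ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed cross-zone conduits, keyed by (initiating zone, destination zone).
# Anything cross-zone that is not listed here is a violation.
# Intra-zone traffic is allowed; only the boundaries are policed.
CONDUITS = {
    ("enterprise", "dmz"):      {("tcp", 443)},   # users reach the DMZ over HTTPS
    ("dmz", "supervisory"):     {("tcp", 443)},   # DMZ relay to supervisory layer
    ("supervisory", "cell"):    {("tcp", 502)},   # HMI/historian to PLCs (Modbus/TCP)
}


def zone_of(ip):
    """Return the zone name containing ip, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed record: 'src=A dst=B dport=N proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def check_flow(flow):
    """Return None if the flow is allowed, else a short finding string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        return f"unknown zone: {flow.src}->{flow.dst} {flow.proto}/{flow.dport}"
    if s == d:
        return None  # intra-zone traffic is not policed here
    if (flow.proto, flow.dport) in CONDUITS.get((s, d), set()):
        return None
    return f"violation {s}->{d} {flow.proto}/{flow.dport} ({flow.src}->{flow.dst})"


def audit(lines):
    """Run check_flow over a list of records; return findings in input order."""
    return [f for f in (check_flow(parse_flow(l)) for l in lines if l.strip()) if f]


# Constructed sample flows: three allowed conduits, one intra-zone flow,
# one enterprise host talking straight to a PLC, one PLC reaching back
# toward the enterprise network, and one address outside every zone.
SAMPLE_FLOWS = [
    "src=10.10.5.20 dst=10.20.0.10 dport=443 proto=tcp",
    "src=10.20.0.10 dst=10.30.0.5 dport=443 proto=tcp",
    "src=10.30.0.5 dst=10.40.0.7 dport=502 proto=tcp",
    "src=10.10.5.20 dst=10.40.0.7 dport=502 proto=tcp",
    "src=10.40.0.7 dst=10.10.5.20 dport=445 proto=tcp",
    "src=10.40.0.7 dst=10.40.0.8 dport=502 proto=tcp",
    "src=192.168.99.1 dst=10.40.0.7 dport=502 proto=tcp",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The policy is deliberately directional: the supervisory zone may open Modbus/TCP sessions into the cell zone, but a PLC opening a connection outward is flagged even though the same two zones are involved. Feeding real flow exports (from a firewall or a passive OT monitoring sensor) through the same check is a cheap way to verify that the segmentation on paper matches the traffic on the wire.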


